There has been a lot of recent press about DLL hijacking. I have tested this out and created a video demonstration to help clear it up, as it is slightly confusing. This is a client-side exploit, so the user must browse the SMB share or the HTTP server. There is no so-called patch from Microsoft because it is not just a Microsoft issue; the issue is much bigger, and any third-party Windows application could be vulnerable. There is a great audit tool and article by HD Moore here that you can run to find which DLLs and extensions are vulnerable on your systems. From tests I have made, the DLLs that were vulnerable on a Windows XP system were also vulnerable on a fully patched Windows 7 system. Microsoft has released a new tool that basically allows you to add a new registry key and control how DLLs are handled.

In a nutshell, the exploit works by creating a WebDAV share with file extensions that it knows your system is vulnerable to. Once the victim opens the share and one of the files, a malicious DLL is placed into this directory, and the associated application uses it rather than the local version and is exploited. Apple iTunes suffered from this and was patched 4 months ago.

For example, say your system is vulnerable to .WAB extensions: when a share is browsed and a .wab file is opened (not a malicious file, just a normal blank file with the extension set), a malicious DLL for that is inserted into the same folder. The application itself then uses the closest found DLL file (the exploit) and runs it. The new MS tool lets you control how DLLs are handled, as it is not just Microsoft products that have issues here; it is a much wider problem.
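To make the "closest found DLL" behaviour and the effect of the Microsoft registry setting concrete, here is an added example (not from the original post or from Microsoft): a simplified Python model of the directories Windows tries when an application asks for a DLL by bare file name. The setting values are those documented for CWDIllegalInDllSearch in Microsoft KB2264107; the paths, helper.dll and contact.wab are hypothetical, and the model ignores KnownDLLs, manifests and SetDllDirectory.

```python
from enum import Enum

class CwdKind(Enum):          # where the process's current directory lives
    LOCAL = 1
    UNC = 2                   # \\server\share over SMB
    WEBDAV = 3

# CWDIllegalInDllSearch values as documented in Microsoft KB2264107
DEFAULT, BLOCK_WEBDAV, BLOCK_REMOTE, REMOVE_CWD = 0, 1, 2, 0xFFFFFFFF

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

def cwd_searched(kind, setting):
    """True if the current directory stays in the search path."""
    if setting == REMOVE_CWD:
        return False
    if setting == BLOCK_REMOTE:
        return kind is CwdKind.LOCAL
    if setting == BLOCK_WEBDAV:
        return kind is not CwdKind.WEBDAV
    return True

def search_order(app_dir, cwd, kind, path_dirs, setting=DEFAULT, safe_mode=True):
    """Directories tried, in order, for a DLL requested by bare file name."""
    cwd_part = [cwd] if cwd_searched(kind, setting) else []
    if safe_mode:   # SafeDllSearchMode on: current directory after system dirs
        return [app_dir] + SYSTEM_DIRS + cwd_part + list(path_dirs)
    return [app_dir] + cwd_part + SYSTEM_DIRS + list(path_dirs)

def resolve(dll, order, listing):
    """First directory in `order` whose listing contains `dll`, else None."""
    return next((d for d in order if dll.lower() in listing.get(d, ())), None)

# Constructed scenario: every path and file name below is hypothetical.
APP = r"C:\Program Files\ExampleApp"
VENDOR = r"C:\Program Files\Common Files\ExampleVendor"   # on PATH
SHARE = r"\\fileserver\docs"                               # remote share
LISTING = {VENDOR: {"helper.dll"}, SHARE: {"contact.wab", "helper.dll"}}

def audit(kind):
    """Map each registry setting to the directory helper.dll loads from."""
    return {s: resolve("helper.dll",
                       search_order(APP, SHARE, kind, [VENDOR], setting=s), LISTING)
            for s in (DEFAULT, BLOCK_WEBDAV, BLOCK_REMOTE, REMOVE_CWD)}

if __name__ == "__main__":
    for kind in (CwdKind.UNC, CwdKind.WEBDAV):
        for setting, found in audit(kind).items():
            print(f"{kind.name:6} setting={setting:#x} -> {found}")
```

In this model, value 1 still resolves the DLL from the share when it is reached over SMB, so a host that allows outbound SMB needs value 2 or 0xFFFFFFFF to fall back to the local copy.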

Metasploit Article:
Microsoft Article:

Fixes: Apply the Microsoft tool, or block outbound SMB/WebDAV connections.
